In a tight presidential race, it's no surprise that both campaigns are doing everything they can to mine their users' browsing history and target their political ads online. But neither campaign, it seems, is doing a very careful job of keeping a tight lid on the information they collect.

In a post Thursday morning, Stanford Center for Internet Society graduate student Jonathan Mayer published a detailed account of leaks of personally identifying information on both BarackObama.com and MittRomney.com to a wide collection of third-party firms, despite the campaigns' claims that all the information they collect and share with Web tracking firms for ad-targeting was carefully anonymized. "The campaigns are wrong," Mayer writes. "Tracking data is very often identified or identifiable...Even a little identifying information leakage thoroughly undermines the privacy properties of web tracking: once a user’s identity leaks to a tracker, all of the tracker’s past, present, and future data about the user becomes identifiable."

Mayer found that both campaigns included identifying information about the user in page headers and URLS of pages, parts of the sites that are visible to a wide range of companies including Akamai, Amazon, Chartbeat, Comscore, Facebook and Google, among others. The most common identifying detail leaked was the visitor's username, which often includes elements of his or her real name, but other pages also included full names, street addresses and ZIP codes, and partial email addresses.

Those findings contradict both campaigns' response to a New York Times piece about the use of third party tracking that ran over the weekend. "Officials with both campaigns emphasize that such data collection is 'anonymous' because third-party companies use code numbers, not real names, to track site visitors," the paper wrote.

"The Times coverage piqued my curiosity," Mayer writes. "Are the campaigns identifying their supporters to third-party trackers? Are they directly undermining the anonymity properties that they are so quick to invoke? Yes, they are."

The two campaigns are hardly the first to leak identifying data to third party firms or misrepresent their privacy practices. As Mayer points out, both Facebook and MySpace were targeted by FTC complaints of deception for similar issues over the last year.

In fact, the kinds of flaws Mayer is pointing out are so common that they could be dismissed as Internet business as usual: Another study by Mayer last year found that half of all sites he tested leaked identifying information. But the privacy blunders that Mayer has identified take on a new significance in the political realm, where Web users may seek to keep their political views distinct from their public identities for fear of discrimination or outside pressure.

"Companies and trade groups in the tracking business community frequently invoke unfounded claims of anonymity," writes Mayer. "My hope is that this episode serves as a learning opportunity and a reminder: there is no such thing as anonymous web tracking."